The Apache Web server provides administrators with an extremely flexible access control system that allows the delegation of access control to those responsible for maintaining individual directories.

    Requires Free Membership to View

This is ideal for Web servers run by Internet Service Providers, educational institutions and others with a need to support Web pages maintained by large numbers of users.

This access control system uses files known as .htaccess files stored in each directory of the Web server. These files contain explicit access control entries that either grant or deny access to users or groups of users based upon their IP address, authentication status or other criteria.

While it's true that .htaccess files provide a powerful option for the delegation of security control, it's essential that administrators who don't require that level of delegation disable this functionality. Putting security control of various directories in the hands of numerous people (particularly those unskilled in the art of information security!) represents a tremendous risk to the entire system.

Fortunately, disabling .htaccess files on a global basis is extremely easy. Just use the following statement in your Apache server configuration file:

<Directory />
AllowOverride None
</Directory>

It's important to ensure that your server is configured properly and that this is the only AllowOverride statement. It is permissible to override this general directive and enable .htaccess files for particular directories that require their use. In fact, this is the preferred method of enabling .htaccess when circumstances warrant. Simply set the global AllowOverride setting to None, and then provide a list of exceptions to the general rule.

Think carefully before allowing users to implement .htaccess files on your server. Is it really necessary? Unless each user requesting such access can provide a specific justification, it's safe to err on the side of denying such requests.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.


This was first published in November 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.